File LEEF Fields

Table of Contents

File LEEF Fields

Example File log in LEEF:

Sep 21 01:52:01 xxx.xx.x.xx 2309 <14>1 2021-09-21T01:52:01.624Z stream-logfwd20-d324e775--09201841-lxtx-harness-b86s logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|17657||TimeReceived=2021-09-21T01:52:00.000000Z	DeviceSN=xxxxxxxxxxxxx	cat=threat	SubType=file	ConfigVersion=10.1	devTime=2021-09-21T01:51:53.000000Z	src=xxx.xx.x.xx	dst=srcPostNAT=xxx.xx.x.xx	dstPostNAT=	Rule=allow-business-apps	usrName=paloaltonetwork\xxxxx	DestinationUser=paloaltonetwork\xxxxx	Application=profinet	VirtualLocation=vsys1	FromZone=datacenter	ToZone=untrust	InboundInterface=ethernet1/1	OutboundInterface=ethernet1/2	LogSetting=rs-logging	SessionID=673161	RepeatCount=1	srcPort=21000	dstPort=12661	srcPostNATPort=22160	dstPostNATPort=6459	proto=tcp	Action=block-url	FileName=totally another fake filename	URLCategory=custom-category	VendorSeverity=Medium	DirectionOfAttack=server to client	SequenceNo=7003061085140561385	SourceLocation=east-coast	DestinationLocation=AU	PacketID=0	FileHash=	ReportID=0	DGHierarchyLevel1=11	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=xxxxx	SourceUUID=	DestinationUUID=	IMSI=100002086896379	IMEI=100000001147849194	ParentSessionID=0	ParentStartTime=1970-01-01T00:00:00.000000Z	Tunnel=GTP-U	ContentVersion=50097	SigFlags=0	RuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8	HTTP2Connection=0	DynamicUserGroup=	X-Forwarded-ForIP=xxx.xx.x.xx	SourceDeviceCategory=L-Phone	SourceDeviceProfile=l-profile	SourceDeviceModel=Note 4G	SourceDeviceVendor=Lenovo	SourceDeviceOSFamily=K6	SourceDeviceOSVersion=Android v9	SourceDeviceHost=pan-505	SourceDeviceMac=596703749274	DestinationDeviceCategory=L-Phone	DestinationDeviceProfile=l-profile	DestinationDeviceModel=Note XT	DestinationDeviceVendor=Lenovo	DestinationDeviceOSFamily=K8	DestinationDeviceOSVersion=Android v8	DestinationDeviceHost=pan-506	DestinationDeviceMac=150083646537	ContainerID=1873cc5c-0d31	ContainerNameSpace=pns_default	ContainerName=pan-dp-77754f4	SourceEDL=	DestinationEDL=	HostID=1010101010	EndpointSerialNumber=xxxxxxxxxxxxxx	DomainEDL=	SourceDynamicAddressGroup=	DestinationDynamicAddressGroup=	PartialHash=0	TimeGeneratedHighResolution=2021-09-21T01:51:53.779000Z	ReasonForDataFilteringAction=	Justification=	NSSAINetworkSliceType=fd	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the File field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
Action	action.value	Custom
Application	app	Custom
ApplicationCategory	app_category	Custom
ApplicationSubcategory	app_sub_category	Custom
CloudHostname	cloud_hostname	Custom
CloudReportID	cloud_reportid	Custom
ConfigVersion	config_version.value	Custom
ContainerID	container_id	Custom
ApplicationContainer	container_of_app	Custom
ContentVersion	content_version	Custom
RepeatCount	count_of_repeats	Custom
CortexDataLakeTenantID	customer_id	Custom
DestinationDeviceCategory	dest_device_category	Custom
DestinationDeviceClass	dest_device_class	Custom
DestinationDeviceHost	dest_device_host	Custom
DestinationDeviceMac	dest_device_mac	Custom
DestinationDeviceModel	dest_device_model	Custom
DestinationDeviceOS	dest_device_os	Custom
DestinationDeviceOSFamily	dest_device_osfamily	Custom
DestinationDeviceOSVersion	dest_device_osversion	Custom
DestinationDeviceProfile	dest_device_profile	Custom
DestinationDeviceVendor	dest_device_vendor	Custom
DestinationDynamicAddressGroup	dest_dynamic_address_group	Custom
DestinationEDL	dest_edl	Custom
dst	dest_ip.value	Predefined
DestinationLocation	dest_location	Custom
dstPort	dest_port	Predefined
DestinationUser	dest_user	Custom
DestinationUserDomain	dest_user_info.domain	Custom
DestinationUserName	dest_user_info.name	Custom
DestinationUserUUID	dest_user_info.uuid	Custom
DestinationUUID	dest_uuid	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
DirectionOfAttack	direction_of_attack.value	Custom
DLPVersionFlag	dlp_version_flag	Custom
DomainEDL	domain_edl	Custom
DynamicUserGroup	dynusergroup_name	Custom
EndpointSerialNumber	endpoint_serial_number	Custom
FileName	file_name	Custom
FileHash	file_sha_256	Custom
EventID	file_type	Header
FileURL	file_url	Custom
FromZone	from_zone	Custom
HostID	gp_host_id	Custom
HTTP2Connection	http2_connection	Custom
InboundInterface	inbound_if.value	Custom
InboundInterfaceDetailsPort	inbound_if_details.port	Custom
InboundInterfaceDetailsSlot	inbound_if_details.slot	Custom
InboundInterfaceDetailsType	inbound_if_details.type.value	Custom
InboundInterfaceDetailsUnit	inbound_if_details.unit	Custom
CaptivePortal	is_captive_portal	Custom
IsClienttoServer	is_client_to_server	Custom
IsContainer	is_container	Custom
IsDecryptMirror	is_decrypt_mirror	Custom
IsDecrypted	is_decrypted	Custom
IsDuplicateLog	is_dup_log	Custom
IsEncrypted	is_encrypted	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsIPV6	is_ipv6	Custom
IsMptcpOn	is_mptcp_on	Custom
NAT	is_nat	Custom
IsNonStandardDestinationPort	is_non_std_dest_port	Custom
IsPacketCapture	is_packet_capture	Custom
IsPhishing	is_phishing	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
IsProxy	is_proxy	Custom
IsReconExcluded	is_recon_excluded	Custom
IsSaaSApplication	is_saas_app	Custom
IsServertoClient	is_server_to_client	Custom
IsSourceXForwarded	is_source_x_fwded	Custom
IsSystemReturn	is_sym_return	Custom
IsTransaction	is_transaction	Custom
IsTunnelInspected	is_tunnel_inspected	Custom
IsURLDenied	is_url_denied	Custom
Justification	justification	Custom
K8SClusterID	k8s_cluster_id	Custom
Location	location	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
IMEI	monitor_tag_imei	Custom
dstPostNAT	nat_dest.value	Predefined
dstPostNATPort	nat_dest_port	Predefined
srcPostNAT	nat_source.value	Predefined
srcPostNATPort	nat_source_port	Predefined
NonStandardDestinationPort	non_standard_dest_port	Custom
NSSAINetworkSliceType	nssai_network_slice_type.value	Custom
OutboundInterface	outbound_if.value	Custom
OutboundInterfaceDetailsPort	outbound_if_details.port	Custom
OutboundInterfaceDetailsSlot	outbound_if_details.slot	Custom
OutboundInterfaceDetailsType	outbound_if_details.type.value	Custom
OutboundInterfaceDetailsUnit	outbound_if_details.unit	Custom
PanoramaSN	panorama_serial	Custom
ParentSessionID	parent_session_id	Custom
ParentStartTime	parent_start_time	Custom
PartialHash	partial_hash	Custom
Packet	pcap	Custom
PacketID	pcap_id	Custom
PlatformType	platform_type	Custom
ContainerName	pod_name	Custom
ContainerNameSpace	pod_namespace	Custom
ProfileName	profile_name	Custom
proto	protocol.value	Predefined
ReasonForDataFilteringAction	reason_data_filtering	Custom
ReportID	report_id	Custom
ApplicationRisk	risk_of_app	Custom
Rule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SanctionedStateOfApp	sanctioned_state_of_app	Custom
SequenceNo	sequence_no	Custom
SessionID	session_id	Custom
Severity	severity	Custom
SigFlags	sig_flags	Custom
SourceDeviceCategory	source_device_category	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceHost	source_device_host	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceOSFamily	source_device_osfamily	Custom
SourceDeviceOSVersion	source_device_osversion	Custom
SourceDeviceProfile	source_device_profile	Custom
SourceDeviceVendor	source_device_vendor	Custom
SourceDynamicAddressGroup	source_dynamic_address_group	Custom
SourceEDL	source_edl	Custom
src	source_ip.value	Predefined
SourceLocation	source_location	Custom
srcPort	source_port	Predefined
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SourceUUID	source_uuid	Custom
SubType	sub_type.value	Custom
ApplicationTechnology	technology_of_app	Custom
ThreatCategory	threat_category.value	Custom
ThreatNameFirewall	threat_name_firewall	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
ToZone	to_zone	Custom
Tunnel	tunnel.value	Custom
TunneledApplication	tunneled_app	Custom
IMSI	tunnelid_imsi	Custom
URLCategory	url_category.value	Custom
URL	url_domain	Custom
Users	users	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom
X-Forwarded-ForIP	xff_ip.value	Custom

File HTTPS Fields

GlobalProtect

Strata Logging Service Docs

File LEEF Fields

Strata Logging Service Docs

File LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner